Playing with computers since age 13, time to start documenting all the wonderful things and treasures I have discovered and developed - also a blog to serve as a time-saver by not having to reinvent the wheel.


Friday, February 8, 2019

Avoiding "Bad protocol version identification" attacks

I see sporadic attacks on my internet-facing servers in the form of protocol violations on the SSH port, logged by sshd as "Bad protocol version identification". These typically look like (from two different servers):

(The 10.100.0.x sources are from my test runs for replicating the "Bad protocol" error messages.)

sshd logs "Bad protocol version identification" when the first line a client sends is not an SSH identification string ("SSH-2.0-..."), and then drops the connection. So it appears this nuisance is caused by folks mistakenly, or with nefarious intentions, sending HTTPS web requests to sshd or vice-versa (only the first direction shows up in sshd's log, naturally): a TLS ClientHello appears in the log as the escaped bytes '\026\003\001...' (the TLS record header 0x16 0x03 0x01), a plain HTTP request as 'GET / HTTP/1.1'. (Maybe the fact that I forward port 443 to port 22 on some servers just for sadistic pleasure may have something to do with it.)

The following command line produces a list of IP addresses causing this kind of attack, and filters out the private subnets:
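As an added example (not the author's command line, which is not reproduced on this page), the same job in Python: scan sshd log lines for "Bad protocol version identification", pull out the source address, drop anything in the private ranges, and count hits per address so a threshold can be applied before blocklisting. The log lines are constructed (syslog format, public sources from the RFC 5737 documentation ranges, 10.100.0.x mimicking the author's test runs); the regex, the choice of private networks (RFC 1918 plus loopback and link-local, and their IPv6 equivalents), and the `min_hits` knob are this example's assumptions, not anything the post specifies.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines. The '\026\003\001' version string is how
# sshd's log sanitiser renders the TLS record header bytes 0x16 0x03 0x01, i.e.
# a TLS ClientHello (HTTPS) arriving on the SSH port; the 10.100.0.x source is a
# private-range test client and must be filtered out.
SAMPLE_LOG = """\
Feb  8 03:12:44 vps sshd[4121]: Bad protocol version identification '\\026\\003\\001' from 203.0.113.45 port 51234
Feb  8 03:12:45 vps sshd[4122]: Accepted publickey for admin from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:abc
Feb  8 03:15:02 vps sshd[4130]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.45 port 51240
Feb  8 03:20:17 vps sshd[4140]: Bad protocol version identification 'HEAD / HTTP/1.0' from 10.100.0.3 port 33012
Feb  8 03:21:09 vps sshd[4141]: Bad protocol version identification '' from 198.51.100.250
Feb  8 03:22:30 vps sshd[4142]: Did not receive identification string from 192.168.1.20 port 50000
"""

# Older sshd versions omit the "port N" suffix, so it is optional here.
BAD_PROTO_RE = re.compile(
    r"Bad protocol version identification '.*' from (\S+)(?: port (\d+))?"
)

# Ranges treated as "private" for this example (assumption): RFC 1918,
# loopback, link-local, and the IPv6 ULA/link-local/loopback equivalents.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_private(addr):
    """True if addr (string or ipaddress object) falls in PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    # 'ip in net' is False across IPv4/IPv6 versions, so mixing is safe.
    return any(ip in net for net in PRIVATE_NETS)


def extract_offenders(log_text):
    """Count 'Bad protocol version identification' events per public source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = BAD_PROTO_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or garbage in the 'from' field: skip it
        if is_private(ip):
            continue
        hits[str(ip)] += 1
    return hits


def blocklist(log_text, min_hits=1):
    """Sorted public IPs seen at least min_hits times (IPv4 first, numerically)."""
    def sort_key(s):
        ip = ipaddress.ip_address(s)
        return (ip.version, int(ip))
    return sorted(
        (ip for ip, n in extract_offenders(log_text).items() if n >= min_hits),
        key=sort_key,
    )


if __name__ == "__main__":
    import sys
    # Pipe in /var/log/auth.log or 'journalctl -u ssh' output; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, n in extract_offenders(text).most_common():
        print(f"{ip}\t{n}")
```

Feed it `journalctl -u ssh --no-pager | python3 badproto.py` (or `auth.log`) and append the resulting addresses to whatever blocklist is in use. Raising `min_hits` above 1 is worth considering before publishing a list: a single malformed connection can come from a misconfigured monitoring client or a one-off scanner, whereas repeated HTTP or TLS probes against port 22 from the same source are the pattern the post describes.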

These IPs can then be added to any IP blocklist in use. I plan to add them to my popular free public IP blocklist at http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt (which started off as a list of Mirai botnet attack sources but is much more now over the years).